Android OkCupid bug left daters wide open to hackers

Android users of OkCupid are being urged to update the app after security flaws were found in the app that could allow hackers to steal credentials.

Researchers from Israeli security firm Checkmarx sounded the alarm when they discovered an exploit that could see hackers take advantage of the app’s reliance on external browsers.

When the OkCupid app fetches messages from other users, it does so with its own browser bundled in the app. While the app outsources most links to an external browser, the researchers found it was trivial to create a malicious link that would trick the app into opening it with its own browser, by adding a specific string to the URL. Once opened in the app, a message would then ask the user to enter their log-in details.

“There was absolutely no way for an unsuspecting user to know that this wasn’t OkCupid, but, instead, a page made to look like OkCupid,” Checkmarx’s head of security research, Erez Yalon, told Consumer Reports.

With those details obtained, a cybercriminal could take advantage of all the data that dating accounts hold – name, email address, location and so forth – for identity theft, bank fraud or stalking. An attacker could even intercept messages between users, reading private messages and tracking their location. “Users wouldn’t know the application had been attacked,” said Yalon. “Everything worked completely normally, so they’d continue to use it.”

The researchers were particularly alarmed, because the exploit could have become self-propagating, automatically sending messages from one OkCupid user to all of their contacts, putting a huge number of users at risk.

The good news is that if you’re running the latest version, you’re already protected. Checkmarx disclosed the vulnerability to OkCupid on 15 November 2018, and a fix was rolled out on 4 January 2019. The same exploit doesn’t work in a mobile browser, or the iOS version.

Are you worried by dating app malware? Let us know on Twitter: @TrustedReviews.